Expand my Community achievements bar.

SOLVED

AEM POST service throws 401 unauthorized

Avatar

Level 2
Level 2
1/28/18 11:26:00 PM

Hi

I am trying to write a post service in aem to which i am sending data in the request body.

To read the data, i have a sling Post servlet where i am expecting to get the data sent by post via request.getReader().

To test this post servlet, i have created another servlet in the same instance which has a doGet() and the following code:

I am hitting this servlet's path in my instance to execute the following code.

CloseableHttpClient httpClient = HttpClients.createDefault();

HttpPost postRequest = new HttpPost("http://localhost:4502/bin/testingPost"); //the post servlet's path

StringEntity input = new StringEntity("<Comment>hello</Comment>");

input.setContentType("text/xml");

postRequest.setEntity(input);

HttpResponse httpResponse = httpClient.execute(postRequest);

However, i get a 401 in httpResponse while trying to access the post servlet with the path "http://localhost:4502/bin/testingPost".

I have referred a few forums where they have mentioned about removing post from Apache Sling Referer Filter and also about CSRF token but that is of no use.

And also that's not recommended as mentioned in the forums for security reasons.

ex: Apache httpclient post throws resposne status 401 Unauthorized error

However, by making the above configuration in OSGI felix console, i could do an ajax call to my post servlet which was giving me a 403 otherwise but i want to be able to hit the post servlet using the java code mentioned above.

Can you please suggest something as soon as possible.

Thank you.

Views

8.3K

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Administrator
Administrator
1/31/18 2:45:30 AM

It is not considered as a best practice to use httpclient to send a HTTP request to AEM itself.

Because this request needs authentication. When you make httpclient call to the servlet it requires cookie object. In servlet code you will not get the cookie object, so you are getting 401 unauthorized error. If you do the GET call, you can get the cookie from request object and set the cookie attribute in httpclient.

To get this working set credentials in httpclient again not a good practice.

-Kautuk



Kautuk Sahni

View solution in original post

Views

6.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Level 10
Level 10
1/29/18 8:42:50 AM

I wrote a tool that posts files to AEM Sling Servlets. I got a around this issue - details here: Scott's Digital Community: Creating Java Swing applications that post files to AEM ClientLibs folder...

Views

6.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/30/18 12:49:52 AM

I missed out on a very important thing here actually.

For now, i am testing my post servlet by using http client code in localhost itself. But actually, there will be a third party call to the sling post servlet.

So, when i try to hit my sling post servlet via POSTMAN, i am able to get response only if i do the following:

1. Provide basic Auth (username and password) while making the call.

2. In OSGI configuartion,

     I have enabled allow empty in Apache sling referrer filter.

     In Apache Granite CSRF filter, i have removed POST.

Is there any other way possible without making the OSGI config changes (CSRF and Referrer filter)?

Views

6.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Administrator
Administrator
1/31/18 2:45:30 AM

It is not considered as a best practice to use httpclient to send a HTTP request to AEM itself.

Because this request needs authentication. When you make httpclient call to the servlet it requires cookie object. In servlet code you will not get the cookie object, so you are getting 401 unauthorized error. If you do the GET call, you can get the cookie from request object and set the cookie attribute in httpclient.

To get this working set credentials in httpclient again not a good practice.

-Kautuk



Kautuk Sahni

Views

6.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/31/18 7:21:07 AM

As Kautuk suggested, you need to specify the creds in the HTTP POST or remove authen for that specific servlet.

Views

6.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
1/31/18 12:53:13 PM

On author authentication is required by default for every request (besides some exceptions to display the login page). The situation is different on publish instances, so you should start testing against publish instances (if that is your final usecase).

The next step are the various filters. AEM assumes by default, that users are accessing a webpage and not necessarily machines; and a browser will always send a referer header. So should your code to pass the Referer filter.

And then your code is called.

Jörg

Views

6.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
1/1/25 10:08:33 AM

Hi, Did you got Solution for this??
Actually i am suffering from same problem

Views

424

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Call scheduler from aem workflow Solved

Views

111

Likes

0

Replies

3
AEM cloud dispatcher scripts Solved

Views

120

Likes

0

Replies

4
Problem with the AEM dispatcher rewrite rules

Views

141

Likes

0

Replies

6
AEM content fragments sometimes blank out upon navigation

Views

74

Likes

0

Replies

2
Issue with renaming translation Job in AEM

Views

60

Likes

0

Replies

1